Forget the NSA. Tech Companies May Be Reading Your Email Too

Ever since Edward Snowden revealed the NSA’s widespread efforts to eavesdrop on the web’s most popular services — including Google and Microsoft and Facebook — the leaders of these companies have called on the government to be more transparent about the data it’s lifting wholesale from their private operations.

But lost in this debate over privacy and national security is another question: How often are these internet companies snooping on their customers themselves? You can now read polished and detailed “transparency reports” that explain how often Google, Facebook, and Microsoft respond to government requests for user data, but these reports don’t say how often the companies are doing this on their own.

It’s a question that came to the fore this week when Microsoft helped U.S. authorities arrest Alex Kibkalo, a Microsoft employee who allegedly leaked company secrets to an outside blogger. Microsoft identified Kibkalo after rummaging through the blogger’s private email account, which happened to run on its own email service, Hotmail.

All of the big web companies have detailed privacy policies, but they generally give themselves broad rights to access customer email if they’re protecting their own rights, says Nicole Ozer, technology and civil liberties policy director at the ACLU. “This situation should be a bit of a wakeup call,” she says of the Microsoft incident. “These email services are not free. We’re paying a high price for these email services when we click, ‘I agree.’”

How big of a wakeup call? On Thursday, after fielding questions from reporters about the Kibkalo situation, Microsoft suddenly announced that, in its bi-annual transparency reports, it will start publishing information about how often it accesses private customer data in this way.

That’s a major policy change. Here’s what led to the incident. Upset over a bad performance review, Kibkalo allegedly leaked an unreleased version of Microsoft’s Windows 8 operating system to a blogger in France. According to court documents, the August 18, 2012, Windows leak sparked an intense internal investigation, and the turning point came in September 2012, when an unnamed source tipped off Steven Sinofsky, the president of Microsoft’s Windows Division at the time.

The source gave Sinofsky a Hotmail address that belonged to the French blogger (also not named) and said that the blogger was the person who had received the leaked software. Microsoft had already been interested in the blogger, but apparently, after the tip-off, the company’s security team did something that raised alarm bells with privacy advocates. Instead of taking their evidence to law enforcement, they decided to search through the blogger’s private messages themselves. Four days after Sinofsky’s tip-off, Microsoft lawyers “approved content pulls of the blogger’s Hotmail account,” the court filings state.

By trolling through the Hotmail email messages and MSN Messenger instant message logs, Microsoft learnt how Kibkalo and the blogger pulled off the leak, says Federal Bureau of Investigation special agent Armando Ramirez III, in an affidavit filed in connection with the case. Microsoft handed over the results of its investigation to the FBI in 2013, and Kibkalo was arrested on Wednesday.

In a statement, Microsoft said that this kind of search happens “only in the most exceptional circumstances.” But the company couldn’t say how many of these searches it has done in the past.

The Freedom to Snoop

The big issue here is that Microsoft’s terms of service give the company broad rights to look through your messages for the purposes of enforcing its end-user licensing agreement. That agreement prohibits users from uploading stolen software, but it bans a lot of other behaviors too, including using its services to advocate “vulgarity” or “profanity.” It’s a “pretty broad” list of prohibitions, all of which could result in a search, says Hanni Fakhoury, staff attorney with the Electronic Frontier Foundation.

In an email interview, Fakhoury said that publishing data on Microsoft’s internal searches would be very useful. “It’s hard to take Microsoft’s assurances that it respects user privacy and wants to stop government snooping when it does exactly what it doesn’t want the government to do,” he said.

In fact, none of the companies that WIRED reached out to for this article — Microsoft, Google, and Facebook — could tell us how often user accounts were searched by internal teams or what processes they have to ensure that these search capabilities are not abused.

It’s a sensitive topic. Since the Snowden revelations, the web giants have had to work hard to restore confidence in their services. After all, if people stop handing over personal information to Facebook and Google, it makes it a lot harder for them to sell targeted ads. “Now, we’re starting to find out how often the government is searching through or accessing our information for their own investigations,” says Ozer. “But the companies don’t [say] how often they’ve actually used their own discretion to search users’ information.”

Last July, in the heat of the first Edward Snowden revelations, Microsoft general counsel Brad Smith wrote a letter to U.S. Attorney General Eric Holder, urging him to allow Microsoft to tell the public how many national security requests it responds to. Smith argued that “this information is likely to help allay public concerns.” He wasn’t the only one to call for more transparency. Facebook and Google made similar pleas.

Now that we know Microsoft’s security teams are snooping on our email too, maybe it’s time for all of the web companies to listen to their own advice.
